GRC-ARA: Mitigated Profiles in User Analysis

Former Member

Hello Experts,

I am working on GRC ARA and have a query regarding Mitigated Profiles.

The scenario I am trying is: we have a User, USER_A, to which a Role, Role_B, having a risk is assigned. The Profile of this Role, say Profile_C, is mitigated using the Mitigated Profiles link.

Also, Param Id 1033 - 'Include Role/Profile Mitigating Controls in Risk Analysis' in the AC configuration settings is set to 'YES'.

So, when we perform User Level Risk Analysis on USER_A, should the mitigation done at Profile level be displayed in the result of the User Analysis?

Thanks in Advance.

Regards,

Hira

Accepted Solutions (0)

Answers (2)


former_member193066
Active Contributor

Well, again, it's a business call.

I would not prefer to mitigate a role or profile. I always prefer to mitigate users.

When you run risk analysis at user level, why do you want to mitigate the role or profile?

All the users who have the mitigated role will also get the control.

It might be a risk for them, not for this user.

That's my view.

Regards,

Prasant

Colleen
Advisor

Hi Hira

My approach is roles should be mitigated as there is a chance that the generated profile could change. Profile mitigation applies to single non-generated profiles.

Or do you mean mitigate the user or mitigate the role/profile?

Regards

Colleen

Former Member

Hi Colleen,


Thanks for the reply.

My expectation here is that if I am mitigating the Profile for a Risk, then the User associated with this profile via the Role should be mitigated.

It works in a similar way for roles, where if you mitigate the Role assigned to the User using the 'Mitigated Roles' link, the User is shown as mitigated for that Risk if Param Id 1033 is set to 'Yes'.


Regards,

Hira

Former Member

Hi Hira,

Conceptually you are right, but like Colleen mentioned, it would be a better approach to mitigate over roles rather than to mitigate the profiles.

Profiles might change every time the role gets modified --> generated.

Keeping mitigation on profiles would not have the updated details for the authorizations, but if you do mitigation over roles then it would.

Hope this is clear now.

Regards,

Ameet

Colleen
Advisor

Hi Hira

Ameet and Prasant have responded with my thoughts already.

If you are running a user analysis you would focus on mitigating the user. If you mitigate role or profile then it applies to everyone - which you may not want. Also, is the risk inherent in the role or profile or is it due to a combination of roles?

You need to define the business process for how you want this to work. I usually aim for no inherent conflict.

Regards

Colleen